CVE-2023-31716

High

Published: 22 September 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.3711 (97.3rd percentile)
Risk Priority: 37 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-31716 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Frangoteam Fuxa. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

FUXA versions 1.1.12 and earlier are affected by a local file inclusion vulnerability that can be triggered via the file parameter, for example by supplying fuxa.log. The issue is tracked as CVE-2023-31716 and carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact limited to confidentiality.

An unauthenticated remote attacker can exploit the flaw to read arbitrary local files on the server, directly exposing sensitive data such as logs or configuration contents. The weakness maps to CWE-98, indicating improper control of filenames used in include or require operations.

Public references consist of a proof-of-concept repository and the upstream FUXA project page; neither reference supplies patch details or mitigation steps. The EPSS score stands at 0.3711 with an identical recorded peak, indicating no material post-disclosure rise.

Vulnerability details

FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: frangoteam
Product: fuxa
Affected versions: ≤ 1.1.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
